4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%
Severity: High
Date : 2020-02-06
CVE-ID : CVE-2019-18634
Package : sudo
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1093
The package sudo before version 1.8.31-1 is vulnerable to privilege
escalation.
Upgrade to 1.8.31-1.
The problem has been fixed upstream in version 1.8.31.
Ensure pwfeedback is disabled in /etc/sudoers with:
Defaults !pwfeedback
A flaw was found in the Sudo before version 1.8.31 application when the
โpwfeedbackโ option is set to true on the sudoers file. An
authenticated user can use this vulnerability to trigger a stack-based
buffer overflow under certain conditions even without Sudo privileges.
The buffer overflow may allow an attacker to expose or corrupt memory
information, crash the Sudo application, or possibly inject code to be
run as a root user.
An authenticated user is capable of escalating to root privileges.
https://www.sudo.ws/alerts/pwfeedback.html
https://www.sudo.ws/repos/sudo/rev/84640592b0ff
https://security.archlinux.org/CVE-2019-18634
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%